The aim of this note is to discuss the following quite queer

Problem 1 Given

• the free non-commutative polynomial ring $\mathcal P := \mathbb F\langle X_1,\dots,X_n\rangle$ (public),

• a bilateral ideal $I \subset \mathbb F\langle X_1,\dots,X_n\rangle$ (private),

• a finite set $G := \{g_1,\dots,g_l\} \subset I$ of elements of the ideal $I$ (public),

• a noetherian semigroup term-ordering $\prec$ (private) on the word semigroup $\mathcal T := \langle X_1,\dots,X_n\rangle$,

compute

• a finite subset $H \subset \Gamma(I)$ of the Gröbner basis $\Gamma(I)$ of $I$ w.r.t. $\prec$ such that, for each $g_i \in G$, its normal form $NF(g_i,H)$ w.r.t. $H$ is zero,

by means of a finite number of queries to an oracle which, given a term $\tau \in \mathcal T$, returns its canonical form $\mathrm{Can}(\tau,I,\prec)$ w.r.t. the ideal $I$ and the term-ordering $\prec$. □

This queer problem has been suggested to us by [2], where a similar problem, but with stronger assumptions, is faced in order to set up a chosen-ciphertext attack against the cryptographic system proposed in [10].¹

The formulation of Problem 1 is partially due to the underlying application, but is also due to the structure of Gröbner bases in the non-commutative setting, which in general are infinite; however, even if we restrict to the noetherian setting of the (commutative) polynomial ring $\mathcal P := \mathbb F[X_1,\dots,X_n]$, we are unable (as we will show through easy counterexamples) to produce an algorithm which returns the (finite) Gröbner basis of $I$ unless we have some further information allowing us to bound such a basis; the best we can do is to solve the following reformulation:

¹ Though we will briefly report on this application in the Appendix (Section 4), we are not interested in dealing with it, preferring to refer to the recent survey [7].

Problem 2 Given

• the commutative polynomial ring $\mathcal P := \mathbb F[X_1,\dots,X_n]$,

• an ideal $I \subset \mathbb F[X_1,\dots,X_n]$,

• a noetherian semigroup term-ordering $\prec$ on the set of terms $\mathcal T := \{X_1^{a_1}\cdots X_n^{a_n} : (a_1,\dots,a_n) \in \mathbb N^n\}$,

• a degree bound for the elements of the Gröbner basis $\Gamma(I)$ of $I$ w.r.t. $\prec$, i.e. a value $D \in \mathbb N$ satisfying $D \ge d(I) := \max\{\deg(\gamma) : \gamma \in \Gamma(I)\}$,

compute

• the Gröbner basis $\Gamma(I)$ of $I$ w.r.t. $\prec$,

by means of a finite number of queries to an oracle which, given a term $\tau$, returns its canonical form $\mathrm{Can}(\tau,I,\prec)$ w.r.t. the ideal $I$ and the term-ordering $\prec$. □

After recalling the basic notions and setting up the notation (Section 1), we solve first Problem 1 (Section 2) and next Problem 2 (Section 3), for which we propose a different, more combinatorial, solution.

We want to thank T. Moriarty and R.F. Ree for their precious support.

1 Notation and recalls on Gröbner bases

We consider a (not necessarily commutative) monoid $\mathcal T$ generated by the set of variables $\{X_1,\dots,X_n\}$, a field $\mathbb F$ and the monoid ring $\mathcal P := \mathrm{Span}_{\mathbb F}(\mathcal T)$. For any set $F \subset \mathcal P$ we denote by $\mathbb I(F) \subset \mathcal P$ the (bilateral) ideal generated by $F$. Each $f \in \mathcal P$ can be uniquely expressed as

$$f = \sum_{\tau \in \mathcal T} c(f,\tau)\,\tau \in \mathcal P,$$

and we call support of $f$ the set $\mathrm{supp}(f) := \{\tau \in \mathcal T : c(f,\tau) \neq 0\}$.

Moreover, fixing a noetherian semigroup ordering $\prec$ on $\mathcal T$, the leading term, leading coefficient and leading monomial of $f$ are respectively

$$T(f) := \max_{\prec}\{\tau \in \mathrm{supp}(f)\},\qquad lc(f) := c(f,T(f)),\qquad M(f) := lc(f)\,T(f).$$

For each ideal $I \subset \mathcal P$ we also consider

• the semigroup ideal $T(I) := \{T(f) : f \in I\}$,

• the Gröbner sous-escalier $N(I) := \mathcal T \setminus T(I)$,

• the vector space $\mathbb F[N(I)] := \mathrm{Span}_{\mathbb F}(N(I))$,

• $G(I) \subset T(I)$, the unique minimal basis of $T(I)$.

We recall that for $f \in \mathcal P$ and $G \subset \mathcal P$,

• $f$ has a Gröbner representation in terms of $G$ if

$$f = \sum_{i=1}^{\mu} c_i\,\lambda_i\,g_{j_i}\,\rho_i,\qquad c_i \in \mathbb F\setminus\{0\},\ \lambda_i,\rho_i \in \mathcal T,\ g_{j_i} \in G,\ \mu \in \mathbb N,$$

with $T(f) = \lambda_1 T(g_{j_1})\rho_1 \succ \lambda_2 T(g_{j_2})\rho_2 \succ \cdots$;

• $h := NF(f,G,\prec) \in \mathcal P$ is a normal form of $f$ w.r.t. $G$ if

 – $f - h \in \mathbb I(G)$ has a Gröbner representation in terms of $G$, and

 – $h \neq 0 \implies T(h) \notin \{\lambda T(g)\rho : \lambda,\rho \in \mathcal T,\ g \in G\} =: T(G)$;

• for each $f \in \mathcal P$ there is a unique canonical form

$$g := \mathrm{Can}(f,I,\prec) = \sum_{t \in N(I)} \gamma(f,t)\,t \in \mathbb F[N(I)]$$

such that $f - g \in I$;

• a Gröbner basis of $I$ is any set $F \subset I$ such that $\{T(\gamma) : \gamma \in F\}$ generates $T(I)$;

• the reduced Gröbner basis of $I$ is the set $\{\tau - \mathrm{Can}(\tau,I,\prec) : \tau \in G(I)\}$.

2 Oracle-supported approximation of $\Gamma(I)$

Let us now specialize $\mathcal T$ to be the word semigroup $\mathcal T := \langle X_1,\dots,X_n\rangle$, so that in particular the following holds:

• for each term $v \in \mathcal T$ and variables $X_l, X_r$ we have by definition

$$X_l v X_r \in G(I) \iff X_l v \in N(I),\ vX_r \in N(I),\ X_l v X_r \in T(I); \qquad (1)$$

• for each term $v \in \mathcal T$ and each variable $X$ we have

$$\omega = vX \in N(I) \implies v \in N(I),\qquad \omega = Xv \in N(I) \implies v \in N(I). \qquad (2)$$

If we ask our oracle the value of $\mathrm{Can}(\tau,I,\prec)$ for any term $\tau \in \mathcal T$, we can deduce whether

1. $\tau \in T(I)$, in which case we also obtain $\mathrm{Can}(\tau,I,\prec)$,² or

2. $\tau \in N(I)$, i.e. $\tau = \mathrm{Can}(\tau,I,\prec)$.

Procedure 3 We assume to have the sets $\mathrm{supp}(g_j)$, $g_j \in G$, so that, without needing to know the term-ordering $\prec$, we can deduce the sets

$$T_j := \{\tau \in \mathrm{supp}(g_j) : \tau \nmid \tau' \text{ for each } \tau' \in \mathrm{supp}(g_j)\setminus\{\tau\}\},$$

where $\tau \mid \tau'$ means $\tau' = \lambda\tau\rho$ for some $\lambda,\rho \in \mathcal T$; since $\prec$ is a semigroup ordering, a proper factor of a term is never larger than it, so $T(g_j) \in T_j$ whatever $\prec$ is.

Since for each $j$ there are $\tau \in T_j$ and $\lambda,\rho \in \mathcal T$ with $\tau = \lambda T(f)\rho$ for some $f \in \Gamma(I)$, e.g. $\tau := T(g_j) \in T(I)$, we can produce a scheme, based on Equation (2), which in a finite number of steps produces an element of $G(I)$: we choose the most suitable set $T_j$ and then repeatedly

• pick an element $\tau \in T_j$; if $\tau \notin T(I)$, simply remove it, otherwise:

• for $\tau = X_l\omega \in T(I)$ we test whether $\omega \in T(I)$, in which case we set $\tau := \omega$, and repeat until we have an element $\tau = X_l\omega \in T(I)$ for which $\omega \in N(I)$;

• now, for $\omega = vX_r \in N(I)$ we test whether $X_l v \in T(I)$, in which case we set $\omega := v \in N(I)$, and repeat until we have an element $X_l v X_r$ for which

$$X_l v \in N(I),\quad vX_r \in N(I),\quad X_l v X_r \in T(I),$$

i.e. $X_l v X_r \in G(I)$.

Remarking that we also have

$$G(I) \ni X_l v X_r \mid \tau \in \mathrm{supp}(g_j),$$

we can solve Problem 1 by a repeated application of the scheme above as follows: set $H := \emptyset$ and repeatedly

• apply the scheme above, thus obtaining an element $\tau \in G(I)$ and the polynomial $\mathrm{Can}(\tau,I,\prec)$,

• set $H := H \cup \{\tau - \mathrm{Can}(\tau,I,\prec)\}$ and $G := \{NF(g,H) : g \in G\}$,

until $G = \{0\}$.

At termination, which is granted by noetherianity, the set $H$ satisfies the conditions required in Problem 1.

Clearly, in the non-commutative case, where in general Gröbner bases are infinite, we cannot hope to produce the whole basis of $I$.
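To make the shrinking scheme of Procedure 3 and the loop solving Problem 1 concrete, here is an added Python illustration (it is not code from the paper). It assumes a two-sided *monomial* (word) ideal of $\mathbb F\langle x,y\rangle$, so that the oracle answers $\mathrm{Can}(\tau)=0$ for $\tau\in T(I)$ and $\mathrm{Can}(\tau)=\tau$ otherwise; the procedure only uses the predicate "$\mathrm{Can}(\tau)\neq\tau$", so any canonical-form oracle can be plugged in. The generators and public supports are constructed test data, and the class and function names are ours. The last test also shows the caveat of Section 4: the returned $H$ reduces every public $g_j$ to zero yet misses the generator $xxxx$, so $H \subsetneq G(I)$.

```python
"""Oracle-supported recovery of elements of G(I) for a two-sided monomial
(word) ideal I of F<x, y>, following the shrinking scheme of Section 2.
Added illustration: words are Python strings, an ideal element 'divides' a
word when it occurs as a subword (tau = lambda * g * rho)."""


class WordIdealOracle:
    """Stand-in for the black box returning Can(t, I, <) for the monomial
    ideal generated by `generators` (constructed test data): for such an ideal
    Can(t) = 0 when t in T(I) and Can(t) = t otherwise, so only the membership
    predicate t in T(I) is exposed here."""

    def __init__(self, generators):
        self.generators = tuple(generators)
        self.queries = 0

    def in_T(self, word):
        """t in T(I)  <=>  Can(t, I, <) != t  <=>  some generator is a subword."""
        self.queries += 1
        return any(g in word for g in self.generators)


def shrink_to_generator(in_T, word):
    """Scheme of Procedure 3.  For tau = X_l * omega in T(I) strip letters on
    the left while the remainder stays in T(I) (so omega lands in N(I)); then,
    writing omega = v * X_r, strip letters on the right while X_l v stays in
    T(I).  By (1) the survivor X_l v X_r has X_l v, v X_r in N(I) and is
    therefore an element of G(I)."""
    assert in_T(word), "the scheme must start from a term of T(I)"
    while len(word) > 1 and in_T(word[1:]):
        word = word[1:]
    while len(word) > 1 and in_T(word[:-1]):
        word = word[:-1]
    return word


def candidate_terms(support):
    """T_j: terms of supp(g_j) that are not proper subwords of another term of
    the support.  T(g_j) is always among them, whatever the unknown semigroup
    ordering, because a factor is never larger than the word containing it."""
    return {t for t in support if not any(t != u and t in u for u in support)}


def recover_partial_basis(in_T, public_supports):
    """Problem 1 for a monomial ideal: returns H, a set of elements of G(I)
    with NF(g_j, H) = 0 for every public g_j.  For a monomial ideal the normal
    form w.r.t. H simply deletes every term having an element of H as factor,
    which is what the update G := {NF(g, H) : g in G} does below."""
    supports = [set(s) for s in public_supports]
    H = set()
    while any(supports):
        j = next(i for i, s in enumerate(supports) if s)
        for tau in sorted(candidate_terms(supports[j])):
            if in_T(tau):
                break
            supports[j].discard(tau)          # tau not in T(I): simply remove it
        else:
            continue                          # every candidate dropped, retry
        h = shrink_to_generator(in_T, tau)    # h in G(I), h divides tau
        H.add(h)
        supports = [{t for t in s if h not in t} for s in supports]
    return H
```

`shrink_to_generator` issues at most one oracle query per letter removed, and the loop in `recover_partial_basis` stops as soon as the public supports are exhausted, which is exactly why it cannot be expected to reach generators that no public term is divisible by.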

² Or, in order to mask our question (see the discussion on Bulygin's assumption (B.2) in the Appendix, Section 4), the values $\mathrm{Can}(l_k\tau r_k,I,\prec)$ where $l_k,r_k \in \mathcal P$ satisfy $\tau = \sum_k l_k\tau r_k$, so that

$$\mathrm{Can}(\tau,I,\prec) = \sum_k \mathrm{Can}(l_k\tau r_k,I,\prec).$$
3 Oracle-supported deduction of $\Gamma(I)$ (commutative case)

We begin by observing that also in the commutative case $\mathcal P = \mathbb F[X_1,\dots,X_n]$, with $\deg(X_i) = 1$ for $1 \le i \le n$, a strong solution returning the complete basis of an ideal $I \subset \mathcal P$ cannot be produced unless further knowledge is assumed: in fact, given $I \subset \mathbb F[X_1,\dots,X_n]$ and a value $\delta \in \mathbb N$, $\delta < d(I)$, in general there are smaller ideals (see Remark 5) $J \subsetneq I$ which satisfy

$$\{f \in I : \deg(f) \le \delta\} = \{f \in J : \deg(f) \le \delta\}.$$

We recall the following definitions and facts:

• For any $\tau \in \mathcal T$ and $1 \le i \le n$ the $X_i$-th predecessor of $\tau$ is $\tau/X_i$ if $X_i \mid \tau$; otherwise we say that $\tau$ has no $X_i$-th predecessor (and the conditions below on a non-existing predecessor are void).

• $B(I) \subset T(I)$, the border of the ideal, is defined by
$$B(I) := \{\tau \in T(I) : \exists\, 1 \le i \le n,\ \tau/X_i \in N(I)\},$$

• $J(I) \subset T(I)$, the interior of the ideal, is defined by
$$J(I) := \{\tau \in T(I) : \forall\, 1 \le i \le n,\ \tau/X_i \in T(I)\},$$ and

• the unique minimal basis of $T(I)$, $G(I) \subset B(I)$, is characterized as
$$G(I) := \{\tau \in B(I) : \forall\, 1 \le i \le n,\ \tau/X_i \in N(I)\}.$$

• For each $f_1,f_2 \in \mathcal P$, the S-polynomial of $f_1$ and $f_2$ is

$$S(f_1,f_2) := lc(f_2)\,\frac{\sigma}{T(f_1)}\,f_1 - lc(f_1)\,\frac{\sigma}{T(f_2)}\,f_2,$$

where $\sigma := \sigma(f_1,f_2) := \mathrm{lcm}(T(f_1),T(f_2))$.

• A set $G = \{g_1,\dots,g_s\}$ is a Gröbner basis of $\mathbb I(G)$ iff for each $i < j$ the S-polynomial $S(g_i,g_j)$ has a Gröbner representation in terms of $G$.

• (Buchberger's Second Criterion) For each $f,g,h \in \mathcal P$ with $T(h) \mid \mathrm{lcm}(T(f),T(g))$: if both $S(f,h)$ and $S(g,h)$ have a Gröbner representation in terms of $G$, the same is true for $S(f,g)$.

• We also set $d(I) := \max\{\deg(\zeta) : \zeta \in G(I)\}$.

Let then $J \subset \mathbb F[X_1,\dots,X_n] =: \mathcal P$ be an ideal, $\prec$ a noetherian semigroup term-ordering, $\Gamma(J) = \{\gamma_1,\dots,\gamma_s\}$ the Gröbner basis of $J$ w.r.t. $\prec$ and $\delta \in \mathbb N$ any degree value such that $\delta \ge d(J) + 1$.

Enumerate the variables and the Gröbner basis elements in such a way that $X_1 \prec X_2 \prec \cdots \prec X_n$ and

$$i < j \iff \text{either } \deg(\gamma_i) > \deg(\gamma_j) \text{ or } \deg(\gamma_i) = \deg(\gamma_j) \text{ and } T(\gamma_i) \succ T(\gamma_j).$$

Denoting

$$\Omega := \min_{\prec}\{\tau \in T(J) : \deg(\tau) = \delta + 1\}$$

and $d_i := \deg(\gamma_i) \le \delta$, we necessarily have $\Omega = X_1^{\delta+1-d_s}\,T(\gamma_s)$. We also let $h_0 := \Omega - \mathrm{Can}(\Omega,J,\prec)$, so that $lc(h_0) = 1$, $T(h_0) = \Omega = X_1^{\delta+1-d_s}T(\gamma_s)$, and $h_i := X_2\gamma_i$, $1 \le i \le s$. We obtain:³

Proposition 4 With the above notation, $H := \{h_0,h_1,\dots,h_s\}$ is a Gröbner basis w.r.t. $\prec$ of the ideal $\mathbb I(H) = X_2 J + (h_0)$.

Proof. Clearly, if $S(\gamma_i,\gamma_j)$, $1 \le i < j \le s$, has the Gröbner representation $S(\gamma_i,\gamma_j) = \sum_{\alpha=1}^{\mu} c_\alpha\tau_\alpha\gamma_{\iota_\alpha}$ in terms of $\Gamma(J)$, then

$$S(h_i,h_j) = X_2\sum_{\alpha=1}^{\mu} c_\alpha\tau_\alpha\gamma_{\iota_\alpha} = \sum_{\alpha=1}^{\mu} c_\alpha\tau_\alpha h_{\iota_\alpha}$$

is a Gröbner representation in terms of $H$.

Moreover, since $\Omega = T(h_0)$ and $T(h_s) = X_2T(\gamma_s) \mid \mathrm{lcm}(T(h_j),\Omega)$ for $1 \le j \le s$, as a direct consequence of Buchberger's Second Criterion, in order to prove the claim it is sufficient to show that the S-polynomial $S(h_s,h_0)$ between $h_0$ and $h_s$ has a Gröbner representation in terms of $H$.

By assumption there are $\mu \in \mathbb N$ and $c_\alpha \in \mathbb F\setminus\{0\}$, $\tau_\alpha \in \mathcal T$, $1 \le \alpha \le \mu$, such that we have a Gröbner representation

$$J \ni h_0 = \Omega - \mathrm{Can}(\Omega,J,\prec) = lc(\gamma_s)^{-1}X_1^{\delta+1-d_s}\gamma_s + \sum_{\alpha=1}^{\mu} c_\alpha\tau_\alpha\gamma_{\iota_\alpha},$$

where $\gamma_{\iota_\alpha} \in \Gamma(J)$ and

$$\Omega = X_1^{\delta+1-d_s}T(\gamma_s) \succ \tau_1T(\gamma_{\iota_1}) \succ \tau_2T(\gamma_{\iota_2}) \succ \cdots;$$

thus, with $\sigma := \sigma(h_s,h_0) = X_1^{\delta+1-d_s}X_2T(\gamma_s)$, we trivially obtain the required Gröbner representation

$$S(h_s,h_0) = lc(h_0)\frac{\sigma}{T(h_s)}h_s - lc(h_s)\frac{\sigma}{T(h_0)}h_0 = -lc(\gamma_s)\Big(X_2h_0 - lc(\gamma_s)^{-1}X_1^{\delta+1-d_s}X_2\gamma_s\Big) = -lc(\gamma_s)\,X_2\sum_{\alpha=1}^{\mu} c_\alpha\tau_\alpha\gamma_{\iota_\alpha} = -\sum_{\alpha=1}^{\mu} lc(\gamma_s)c_\alpha\tau_\alpha h_{\iota_\alpha}.$$

□

Remark 5 For any ideal $J \subset \mathcal P$, noetherian semigroup term-ordering $\prec$, and degree value $\delta \in \mathbb N$ such that $\delta \ge d(J) + 1$, the two ideals $I_\delta := \mathbb I(H)$ and $I := X_2J$ satisfy both

$$\{f \in I_\delta : \deg(f) \le \delta\} = \{f \in I : \deg(f) \le \delta\}\quad\text{and}\quad I \subsetneq I_\delta,$$

with

$$d(I_\delta) \ge \delta \ge d(J) + 1 = d(I).$$

Thus, the algorithm we are going to sketch below, applied to the (unknown) ideal $I_\delta$, returns the correct answer $I_\delta$ if the input data satisfy $D \ge \delta + 1$, but returns the wrong answer $I$ if $\delta \ge D \ge d(J) + 1 = d(I)$.

That is, we actually need to assume to know an upper bound $D$ for $d(I)$ and only deal with terms belonging to the box

$$B(D) := \{X_1^{a_1}\cdots X_n^{a_n} \in \mathcal T : 0 \le a_i \le D,\ \forall\, 1 \le i \le n\}.$$

□

³ Of course, our construction is indebted to the counterexample to Cardinal's Conjecture proposed in [9].

We now give a combinatorial algorithm to solve Problem 2.

Let $\omega := X_1\cdots X_n$ and $\omega^0 := 1 \in N(I)$; we take iteratively $i \in \mathbb N$ until either we find $j \in \mathbb N$, $j \le D$, such that $\omega^{j-1} \in N(I)$ and $\omega^j \in T(I)$, or $\omega^D \in N(I)$. In this last case we can deduce that $I = (0)$;⁴ otherwise, for the found $j \in \mathbb N$ we begin by deciding which of the following cases arises:

Case 1 $\omega^j \in G(I)$ (i.e. all the predecessors of $\omega^j$ are in $N(I)$),

Case 2 $\omega^j \in B(I)\setminus G(I)$ (i.e. at least one but at most $n-1$ predecessors of $\omega^j$ are in $N(I)$),

Case 3 $\omega^j \in J(I)$ (i.e. all the predecessors of $\omega^j$ are in $T(I)$).

To visualize the situation we identify $\mathcal T$ with $\mathbb N^n$, thought of as

$$\{x = (x_1,\dots,x_n) \in \mathbb R^n : x_i \in \mathbb N,\ 1 \le i \le n\};$$

by 'line' (one should better say 'half-line') of $\mathcal T$ we mean a set of aligned points of $\mathbb N^n \subset \mathbb R^n$, and similarly for 'plane', 'hyperplane', 'simplicial complex', etc.

We point out that:

- for $n = 2$, $B(I)$ is a 'piecewise linear curve' $C(I)$ consisting of contiguous horizontal and vertical 'segments' from which all the 'convex' vertices are removed, and possibly the leftmost vertical segment and the bottom horizontal one are 'half-lines';⁵

- for $n \ge 3$, $B(I)$ is a 'simplicial complex'⁶ consisting of contiguous shares of 'hyperplanes', each of them parallel to a 'coordinate hyperplane' (the closest to a coordinate one possibly being infinite), from which all the 'protruding' $i$-th facets with $i \le n-2$ are removed;

- $J(I)$ is the set of points lying above the escalier,

- $G(I)$ consists of the 'concave vertices' of the escalier,

- $N(I)$ is the set of points below the escalier (for this reason named sous-escalier).

We will also call '0-dimensional', ..., '$(n-1)$-dimensional' point of the escalier a point lying on a vertex, ..., on an $(n-1)$-facet (and not in a lower dimensional one), noticing that the elements of $G(I)$ are particular '0-dimensional' points.

From now on we will assume that there is $j \in \mathbb N$, $j \le D$, such that $\omega^{j-1} \in N(I)$ and $\omega^j \in T(I)$.

⁴ In fact each term $\tau$ with $\deg(\tau) \le D$ trivially satisfies $\tau \mid \omega^D$, i.e. $\omega^D \in N(I)$ implies $G(I) = \emptyset$.

⁵ As $B(I) \cup \{\text{all the convex vertices}\}$ looks like the profile of a stair, A. Galligo introduced the term escalier.

⁶ Still called escalier.



3.1 Two variables

We distinguish between the three possible cases for $\omega^j := X^jY^j$ and, through several steps, we construct $G(I)$:

case 1 $\omega^j \in G(I)$ (the 'line' $x = y$ meets $T(I)$ in a 'concave vertex' of the escalier),

 I step: $t_1 := \omega^j = X^jY^j \in G(I)$ and we store it (it could be the only generator);

 II step: starting from $t_1 = \omega^j \in G(I)$ (found in step I), we need to consider $X^jY^{j+n}$ and $X^{j+m}Y^j$ with $n,m \in \mathbb N^*$:

 a) examine $X^jY^{j+n}$:

 (i) if $X^{j-1}Y^{j+n} \in N(I)$ for all $n \le D-j$, then there is no generator in $G(I)$ with $X$-exponent $< j$;

 (ii) if there is $\bar n = \min\{n : 0 < n \le D-j,\ X^{j-1}Y^{j+n} \in T(I)\}$, we let $b_2 := j + \bar n$ and

 – if $Y^{b_2} \in T(I)$ then we set $a_2 := 0$,

 – otherwise we set $a_2 := \max\{a \le j-1 : X^{a-1}Y^{b_2} \in N(I)\}$,

 so that $t_{22} := X^{a_2}Y^{b_2}$, with $0 \le a_2 < j$, $b_2 > j$, is a new generator and we store it;

 b) examine $X^{j+m}Y^j$:

 (i) if $X^{j+m}Y^{j-1} \in N(I)$ for all $m \le D-j$, then there is no generator in $G(I)$ with $Y$-exponent $< j$;

 (ii) if there is $\bar m = \min\{m : 0 < m \le D-j,\ X^{j+m}Y^{j-1} \in T(I)\}$, we let $a_2 := j + \bar m$ and

 – if $X^{a_2} \in T(I)$ then we set $\beta_2 := 0$,

 – otherwise we set $\beta_2 := \max\{\beta \le j-1 : X^{a_2}Y^{\beta-1} \in N(I)\}$,

 so that $t_{21} := X^{a_2}Y^{\beta_2}$, with $0 \le \beta_2 < j$, $a_2 > j$, is a new generator and we store it;

 $t_1$ is the only generator of $T(I)$ iff at step II both a)(i) and b)(i) hold, otherwise at least one further generator is found.

case 2 $\omega^j \in B(I)\setminus G(I)$: we have to distinguish whether the 'line' $x = y$ meets $T(I)$ in a 'vertical' or in a 'horizontal side' of the escalier.

 a) $X^{j-1}Y^j \in N(I)$, $X^jY^{j-1} \in T(I)$ ('vertical side' case),

 I step: – if $X^j \in T(I)$ then we set $\beta_1 := 0$,

 – otherwise we set $\beta_1 := \max\{\beta < j : X^jY^{\beta-1} \in N(I)\}$,

 so that $t_1 := X^jY^{\beta_1} \in G(I)$ and we store it (possibly the only generator);

 II step:

 (j) starting from $t_1 := X^jY^{\beta_1} \in G(I)$, if $j < D$ we repeat the procedure described in case 1, step II b)(i),(ii), possibly finding a new generator $t_{21} := X^{a_2}Y^{\beta_2} \in G(I)$ with $0 \le \beta_2 < \beta_1 < j$, $D \ge a_2 > j$;

 (jj) starting from $\omega^j$ we repeat the procedure described in case 1, step II a)(i),(ii), possibly finding a new generator $t_{22} := X^{a_2}Y^{b_2} \in G(I)$ with $0 \le a_2 < j$, $D \ge b_2 > j$;

 b) $X^jY^{j-1} \in N(I)$, $X^{j-1}Y^j \in T(I)$ ('horizontal side' case),

 I step: – if $Y^j \in T(I)$ then we set $\alpha_1 := 0$,

 – otherwise we set $\alpha_1 := \max\{\alpha < j : X^{\alpha-1}Y^j \in N(I)\}$,

 so that $t_1 := X^{\alpha_1}Y^j \in G(I)$ and we store it (possibly the only generator);

 II step:

 (j) starting from $t_1 := X^{\alpha_1}Y^j \in G(I)$, if $j < D$ we repeat the procedure described in case 1, step II a)(i),(ii), possibly finding a new generator $t_{22} := X^{a_2}Y^{b_2} \in G(I)$ with $0 \le a_2 < \alpha_1 < j$, $D \ge b_2 > j$;

 (jj) starting from $\omega^j$ we repeat the procedure described in case 1, step II b)(i),(ii), possibly finding a new generator $t_{21} := X^{a_2}Y^{b_2} \in G(I)$ with $0 \le b_2 < j$, $D \ge a_2 > j$;

 $t_1$ is the only generator of $T(I)$ iff at step II a) (resp. II b)) both a)(i) and b)(i) of case 1, step II hold, otherwise at least one further generator is added.

case 3 $\omega^j \in J(I)$ (the 'line' $x = y$ meets $T(I)$ in a 'convex vertex' of the escalier),

 I step: by construction $\omega^{j-1} \in N(I)$, thus $X^{j-1}Y^j, X^jY^{j-1} \in B(I)$ (the first one in a 'horizontal' and the second one in a 'vertical side' of the escalier); operating on them respectively like in case 2 b) step I and case 2 a) step I we get two generators:

 – $t_{12} := X^{\alpha_1}Y^j$, $0 \le \alpha_1 < j$,

 – $t_{11} := X^jY^{\beta_1}$, $0 \le \beta_1 < j$;

 II step:

 – operating on $t_{12}$ like in case 1, step II a)(i),(ii) we possibly find a new generator $t_{22} := X^{a_2}Y^{b_2}$ with $0 \le a_2 < \alpha_1 < j$, $D \ge b_2 > j$;

 – operating on $t_{11}$ like in case 1, step II b)(i),(ii) we possibly find a new generator $t_{21} := X^{a_2}Y^{b_2}$ with $0 \le b_2 < \beta_1 < j$, $D \ge a_2 > j$;

 $t_{11}$ and $t_{12}$ are the only generators of $I$ iff at step II both a)(i) and b)(i) of case 1, step II hold, otherwise at least one further generator is added.

all cases, III and further steps

 starting from the generators of the previous step (all of type $t_{i2} := X^{a_i}Y^{b_i}$ with $0 \le a_i < \cdots < j$, $D \ge b_i > \cdots > j$, or $t_{i1} := X^{a_i}Y^{b_i}$ with $0 \le b_i < \cdots < j$, $D \ge a_i > \cdots > j$) we operate like in case 2, step II (j) while $D \ge b_i$ and $D \ge a_i$.

 The procedure stops because the possible degrees do not exceed the fixed bound $D$, and we do not miss any generator since we are following the escalier point by point.

Example 6 Let $\mathcal P = \mathbb F[X,Y]$, $\omega = XY$.

1. $I = (X^2Y^2, XY^3, X^4Y, Y^8)$, $D = 8$.

We have $\omega \in N(I)$, $\omega^2 \in T(I)$ and $XY^2, X^2Y \in N(I)$, thus $\omega^2 \in G(I)$; considering $X^{2+m}Y$, $m \le D-2$, and $XY^{2+n}$, $n \le D-2$, we see that:

$\min\{n : XY^{2+n} \in T(I)\} = 1$, with $Y^3, XY^2 \in N(I)$, thus $XY^3 \in G(I)$;

$\min\{m : X^{2+m}Y \in T(I)\} = 2$, with $X^3Y, X^4 \in N(I)$, thus $X^4Y \in G(I)$.

Starting from $XY^3$ we see that $\min\{n : Y^{3+n} \in T(I)\} = 5$, thus $Y^8 \in G(I)$; while, starting from $X^4Y$, we see that $X^{4+m} \in N(I)$ for all $m \le D-4$, so that there are no generators with null $Y$-exponent.

2. $I = (X^3Y^2)$, $D = 5$.

We have $\omega^1, \omega^2 \in N(I)$, $\omega^3 \in T(I)$ with $X^2Y^3 \in N(I)$ and $X^3Y^2 \in T(I)$, thus we have to consider $X^3Y^{3-q}$, $0 \le q \le 3$; as $X^3Y^2 \in B(I)$, $X^3Y \in N(I)$, we have $X^3Y^2 \in G(I)$; moreover, as $X^{3+m}Y \in N(I)$ for all $m \le D-3$ and $X^2Y^{2+n} \in N(I)$ for all $n \le D-2$, we have that $X^3Y^2$ is the unique generator.

3. $I = (X^2Y^4, X^4Y^3)$, $D = 7$.

We have $\omega^1, \omega^2, \omega^3 \in N(I)$, $\omega^4 \in T(I)$ with $X^3Y^4, X^4Y^3 \in B(I)$, thus we have to consider $X^{4-p}Y^4$, $X^4Y^{4-q}$, $p,q \le 4$, and we see that $X^4Y^3 \in G(I)$, $X^2Y^4 \in G(I)$ are the only generators of $I$.

3.2 $n \ge 3$ variables

Using the 2-variables case as a first inductive step, we consider $X_n$ as $n$-th variable, added to $X_1,\dots,X_{n-1}$. Assuming we are able to find all the minimal generators (up to the degree bound) of a monomial ideal in $n-1$ variables, we slice $\mathcal T$ in 'hyperplanes' $x_n = j$, $j \le D$, and argue by considering the intersection $E_j$ of the escalier with each one of them. One of the following cases occurs:

• $E_j$ has dimension $i \le n-2$, so it does not contain any element of $G(I)$,

• $E_j$ is $(n-1)$-dimensional and so it contains some element of $G(I)$,

• $E_j = \emptyset$.

Remark 7 We point out explicitly that for any $I \neq (0)$ there must exist at least one $j \in \mathbb N$ with $E_j$ hyperplanar.

Moreover, as we already remarked, $\omega^D \in N(I) \implies I = (0)$, i.e. $T(I) = \emptyset$. If, instead, $\omega^j \in T(I)$ for some $j \le D$, then necessarily there is a $t \in G(I)$ with $t \mid \omega^j$, and thus $E_{j-h} \cap G(I) \neq \emptyset$ for some $h$, $0 \le h \le j$.

It is however possible that for some $j \le D$, $\omega^j \in T(I)$ and $E_{j+h} \cap G(I) = \emptyset$ for each $h$, $0 < h \le D-j$. This simply means that all generators of $T(I)$ have $X_n$-degree bounded by $j$ and that $E_{j+h} = E_j$ for each $h \in \mathbb N$. □

Step I: By applying the $(n-1)$-variables algorithm to $\omega^j$ (on the 'hyperplane' $x_n = j$) we find a set of terms $\widehat G(I)_j$ from which, after cancelling all the terms $\sigma$ such that $\sigma/X_n \in T(I)$, we get a set of terms $G(I)_{j,j}$ for which two possibilities arise:

 (i) $G(I)_{j,j} \neq \emptyset$, and we set $G(I)_1 := G(I)_{j,j}$;

 (ii) otherwise, $G(I)_{j,j} = \emptyset$ means that $E_j$ is $i$-dimensional with $i \le n-2$, and we have to iteratively consider $\omega^{j+h} := X_1^j\cdots X_{n-1}^jX_n^{j+h}$, for all $h \le D-j$, and $\omega^{j-h} := X_1^j\cdots X_{n-1}^jX_n^{j-h}$, for all $h \le j$, until we find, necessarily, an $E_{j-h}$ which is 'hyperplanar' and, possibly, also an $E_{j+h}$ which is 'hyperplanar'; we then set⁷

 – $h_1^+ := \min\{h \le D-j : E_{j+h} \text{ 'hyperplanar'}\}$ (if it exists),

 – $h_1^- := \min\{h \le j : E_{j-h} \text{ 'hyperplanar'}\}$.

 By applying the $(n-1)$-variables algorithm on both 'hyperplanes' $x_n = j + h_1^+$ and $x_n = j - h_1^-$ (noticing that by assumption $X_1^j\cdots X_{n-1}^jX_n^{j+h_1^+},\ X_1^j\cdots X_{n-1}^jX_n^{j-h_1^-} \in T(I)$), after the above cancellation procedure we get new sets of terms $G(I)_{j,j+h_1^+}$ and $G(I)_{j,j-h_1^-}$. As we observed in Remark 7, it cannot happen that $E_{j-h} \cap G(I) = \emptyset$ for all $h \le j$, i.e. at least $G(I)_{j,j-h_1^-} \neq \emptyset$, so that, setting⁸ $G(I)_1^+ := G(I)_{j,j+h_1^+}$ and $G(I)_1^- := G(I)_{j,j-h_1^-}$, we get

$$\emptyset \neq G(I)_1 := G(I)_1^+ \cup G(I)_1^-.$$

⁷ Notice that if $G(I)_{j,j} \neq \emptyset$ we must think of $h_1^+ = h_1^- = 0$.

⁸ Of course, if $h_1^+$ does not exist we set $G(I)_1^+ := \emptyset$, noticing that if $G(I)_1^+ = \emptyset$ there are no generators with $X_n$-exponent $> j$. We also note that if $G(I)_{j,j} \neq \emptyset$ we can think $G(I)_1 = G(I)_1^-$.

Step II a) For each $\sigma = X_1^{a_1}\cdots X_{n-1}^{a_{n-1}}X_n^{j-h_1^-} \in G(I)_1^-$ we move along the 'line'

$$x_1 - a_1 = x_2 - a_2 = \cdots = x_{n-1} - a_{n-1},\qquad x_n = j - h_1^- - 1,$$

 with the following two possible outcomes:

 (i) for all $X_1^{a_1}\cdots X_{n-1}^{a_{n-1}}X_n^{j-h_1^-} \in G(I)_1^-$ and $l \le \max_i\{D - a_i\}$ it holds

$$X_1^{a_1+l}\cdots X_{n-1}^{a_{n-1}+l}X_n^{j-h_1^--1} \in N(I),$$

 that is, the whole share of the 'hyperplane' $x_n = j - h_1^-$ lying on $T(I)$ actually belongs to $B(I)$ (i.e. there are no generators having $X_n$-exponent $< j - h_1^-$);

 (ii) there is $X_1^{a_1}\cdots X_{n-1}^{a_{n-1}}X_n^{j-h_1^-} \in G(I)_1^-$ and

$$l_{a_1\dots a_{n-1}} := \min\{l \in \mathbb N^* : X_1^{a_1+l}\cdots X_{n-1}^{a_{n-1}+l}X_n^{j-h_1^--1} \in T(I)\},$$

 that is, the escalier does not exhaust $T(I) \cap \{x \in \mathbb R^n : x_n = j - h_1^-\}$ (i.e. some $X_1^{a_1+l}\cdots X_{n-1}^{a_{n-1}+l}X_n^{j-h_1^-} \in J(I)$ and there are generators having $X_n$-exponent $< j - h_1^-$). In this case we consider iteratively

$$X_1^{a_1+l_{a_1\dots a_{n-1}}}\cdots X_{n-1}^{a_{n-1}+l_{a_1\dots a_{n-1}}}X_n^{j-h_1^--h},\qquad h \le j - h_1^-,$$

 until either we find $h_{a_1\dots a_{n-1}}$, $0 < h_{a_1\dots a_{n-1}} < j - h_1^-$, with the term of $X_n$-exponent $j - h_1^- - h_{a_1\dots a_{n-1}}$ in $T(I)$ and its $X_n$-predecessor in $N(I)$ (so that $E_{j-h_1^--h_{a_1\dots a_{n-1}}}$ is 'hyperplanar', thus containing some generators of $I$), or $X_1^{a_1+l_{a_1\dots a_{n-1}}}\cdots X_{n-1}^{a_{n-1}+l_{a_1\dots a_{n-1}}} \in T(I)$, in which case we set $h_{a_1\dots a_{n-1}} := j - h_1^-$ (so that $j - h_1^- - h_{a_1\dots a_{n-1}} = 0$ and still $E_0 = E_{j-h_1^--h_{a_1\dots a_{n-1}}}$ is 'hyperplanar', thus containing some generators of $I$).

 We then set

$$h_2^- := \min\{h_{a_1\dots a_{n-1}} \text{ above} : X_1^{a_1}\cdots X_{n-1}^{a_{n-1}}X_n^{j-h_1^-} \in G(I)_1^-\}.$$

 By applying the $(n-1)$-variables algorithm on the 'hyperplane' $x_n = j - h_1^- - h_2^-$ (the nearest below which is parallel to $x_n = j - h_1^-$ and contains generators of $I$) we find a set of terms $\widehat G(I)^{-h_2^-}$ from which we must erase all the terms whose $X_n$-predecessor lies in $T(I)$, getting, by construction, a non-empty

$$G(I)^{-h_2^-} := \widehat G(I)^{-h_2^-} \setminus \{\sigma \in \widehat G(I)^{-h_2^-} : \sigma/X_n \in T(I)\},$$

 which contains all the generators lying on the 'hyperplane' $x_n = j - h_1^- - h_2^-$, and we let

$$G(I)_2^- := \begin{cases} \emptyset & \text{in case (i)} \\ G(I)^{-h_2^-} & \text{in case (ii)} \end{cases}$$

b) If $G(I)_1^+ \neq \emptyset$, we fix any $X_1^{a_1}\cdots X_{n-1}^{a_{n-1}}X_n^{j+h_1^+} \in G(I)_1^+$: by iteratively applying (on each 'hyperplane' $x_n = j + h_1^+ + h$) the $(n-1)$-variables algorithm to $X_1^{a_1}\cdots X_{n-1}^{a_{n-1}}X_n^{j+h_1^++h}$, $j + h_1^+ + h \le D$, we find a set of terms $\widehat G(I)^{+h}$ from which, after cancelling all the terms $\sigma$ such that $\sigma/X_n \in T(I)$, we get a set $G(I)^{+h}$, and two possibilities arise:

 (i) for all $h$ with $j + h_1^+ + h \le D$, $G(I)^{+h} = \emptyset$, which means that there are no generators having $X_n$-exponent $> j + h_1^+$;

 (ii) there is $h_2^+ := \min\{h : j + h_1^+ + h \le D,\ G(I)^{+h} \neq \emptyset\}$, and $G(I)^{+h_2^+}$ gives all the generators contained in the 'hyperplane' $x_n = j + h_1^+ + h_2^+$ (the upper-nearest one parallel to $x_n = j + h_1^+$ which contains generators).

 Then we let

$$G(I)_2^+ := \begin{cases} \emptyset & \text{in case (i)} \\ G(I)^{+h_2^+} & \text{in case (ii)} \end{cases}$$

We finally set $G(I)_2 := G(I)_2^- \cup G(I)_2^+$.

Further Steps: Starting from $G(I)_{i-1} = G(I)_{i-1}^+ \cup G(I)_{i-1}^-$, for all $i \ge 3$, we repeat:

 – if $G(I)_{i-1}^- \neq \emptyset$, for a fixed $\sigma \in G(I)_{i-1}^-$, all the procedures of Step II a), possibly finding a non-empty $G(I)_i^-$ and the relative $X_n$-exponent $j - h_1^- - \cdots - h_i^-$;

 – if $G(I)_{i-1}^+ \neq \emptyset$, for each $\sigma \in G(I)_{i-1}^+$, all the procedures of Step II b), possibly finding a non-empty $G(I)_i^+$.

The procedure stops because the possible degrees do not exceed the fixed bound $D$, that is, we find an $n_D(I) \in \mathbb N$ such that

$$G(I)_{\le D} := G(I) \cap B(D) = \bigcup_{i=1}^{n_D(I)} G(I)_i,$$

and we do not miss any generator since we have controlled the situation at each $x_n$-level.
Example 8 Let $\mathcal P = \mathbb F[X,Y,Z]$, $\omega = XYZ$, $I = (XY^3Z^4, Y^5Z^3, X^3Y^2Z^2, X^4Z)$, $D = 8$.

We have $\omega^2 \in N(I)$, $\omega^3 \in T(I)$ with $X^3Y^3Z^2, X^3Y^2Z^3 \in T(I)$, $X^2Y^3Z^3 \in N(I)$.

Step I We apply in the 'plane' $z = 3$ the 2-variables algorithm to $\omega^3 = X^3Y^3(Z^3)$: as $X^2Y^3(Z^3) \in N(I)$ and $X^3Y^2(Z^3) \in T(I)$ we consider $X^3Y^{3-q}(Z^3)$, $q \le 3$, until $X^3Y^{3-q}(Z^3) \in T(I)$ and $X^3Y^{2-q}(Z^3) \in N(I)$, or $q = 3$. Since $X^3Y^2(Z^3) \in B(I)$ and $X^3Y(Z^3) \in N(I)$ we take $X^3Y^2(Z^3)$ and we store it (recalling that $\omega^2 \in N(I)$). Starting from $X^3Y^2(Z^3)$ we consider $X^{3+m}Y(Z^3)$, $m \le 5$, and, since $X^4Y(Z^3), X^4(Z^3) \in B(I)$, we store $X^4(Z^3)$. Starting from $X^3Y^3(Z^3)$ we look whether

$$\exists\, \nu := \min\{n : X^2Y^{3+n}(Z^3) \in T(I),\ 3 + n \le 8\}$$

and we find $\nu = 2$, as $X^2Y^5(Z^3) \in B(I)$, from which, by considering $X^{2-p}Y^5(Z^3)$, $p \le 2$, until $X^{2-p}Y^5(Z^3) \in B(I)$ and $X^{1-p}Y^5(Z^3) \in N(I)$, or $p = 2$, we obtain $Y^5(Z^3) \in T(I)$ and we store it. We stop here as the 2-variables algorithm on the 'plane' $z = 3$ does not produce other elements. Dividing by $Z$ each $\sigma \in \{X^3Y^2Z^3, X^4Z^3, Y^5Z^3\}$ we get $G(I)_1 = \{Y^5Z^3\}$ (as $X^3Y^2Z^2, X^4Z^2 \in T(I)$).

Step II a) We look whether $\exists\, l_{0,5} := \min\{l : X^{0+l}Y^{5+l}Z^2 \in T(I),\ 5 + l \le 8\}$ and we get $l_{0,5} = 3$ (as $X^3Y^8Z^2 \in T(I)$ and $X^2Y^7Z^2 \in N(I)$); we then consider $X^3Y^8(Z^2)$ on the 'plane' $z = 2$ and, by applying the 2-variables algorithm, we get $X^3Y^2Z^2 \in T(I)$ and $X^4Z^2 \in T(I)$ to be stored and, since dividing by $Z$ we get $X^3Y^2Z \in N(I)$ while $X^4Z \in T(I)$, we have $G(I)_2^- = \{X^3Y^2Z^2\}$.

 b) Let us now look at what happens on the 'planes' $z = 3 + h$, $h \le 5$. Knowing that $X^3Y^3Z^4 \in T(I)$ we must apply the 2-variables algorithm to $X^3Y^3(Z^4)$ on the 'plane' $z = 4$, obtaining as output the set

$$\{XY^3(Z^4), X^3Y^2(Z^4), X^4(Z^4), Y^5(Z^4)\}$$

 and, as we have $X^3Y^2Z^3, X^4Z^3, Y^5Z^3 \in T(I)$ but $XY^3Z^3 \in N(I)$, we set $G(I)_2^+ = \{XY^3Z^4\}$ and finally $G(I)_2 = \{XY^3Z^4, X^3Y^2Z^2\}$.

Step III a) We look whether $\exists\, l_{3,2} := \min\{l : X^{3+l}Y^{2+l}Z \in T(I),\ 2 + l \le 8\}$ and we find $l_{3,2} = 1$ (as $X^4Y^3Z \in T(I)$ and $X^3Y^2Z \in N(I)$); we then apply the 2-variables algorithm to $X^4Y^3(Z)$ on the 'plane' $z = 1$, finding only $X^4Z \in B(I)$ to be stored and divided by $Z$, and, as $X^4 \in N(I)$, we set $G(I)_3^- = \{X^4Z\}$.

 b) Let us now look at what happens on the 'planes' $z = 4 + h$, $h \le 4$: knowing that $XY^3Z^{4+h} \in T(I)$, we apply the 2-variables algorithm to $XY^3(Z^{4+h})$, $h \le 4$; at each step we get

$$\{XY^3(Z^{4+h}), X^3Y^2(Z^{4+h}), X^4(Z^{4+h}), Y^5(Z^{4+h})\}$$

 and since all elements are trivially to be discarded we get $G(I)_3^+ = \emptyset$.

Further Steps Finally, since $X^{4+l}Y^{0+l} \in N(I)$ for all $l$ with $4 + l \le 8$, we deduce that there is no generator with null $Z$-exponent, i.e. $G(I)_4^- = \emptyset$. Since we also have $G(I)_3^+ = \emptyset$, the algorithm terminates and we can conclude that $G(I) = \{XY^3Z^4, X^3Y^2Z^2, X^4Z, Y^5Z^3\}$.
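As an added worked example (not code from the paper), the following Python carries out the commutative procedure of Sections 3.1 and 3.2 for a monomial ideal and checks it on Examples 6 and 8. It assumes that $I$ is a *monomial* ideal, so the oracle's answer is $\mathrm{Can}(\tau)=0$ for $\tau\in T(I)$ and $\tau$ otherwise; only the predicate "$\mathrm{Can}(\tau)\neq\tau$" is used, so any canonical-form oracle plugs in. Terms are exponent tuples, the generators are constructed test data, and all names are ours. It generalizes the text in one respect: rather than following the escalier from $\omega^j$ outwards, the two-variable routine walks the whole staircase column by column (which is what "following the escalier point by point" amounts to), and the $n$-variable routine visits every $X_n$-slice $x_n = j$ of the box instead of only the hyperplanar ones; both return $G(I)\cap B(D)$, so Remark 5 can be checked too (with $D = 5$ the generator $Y^8$ of Example 6.1 is lost). A brute-force check over the whole box, based on the characterization $G(I) = \{\tau\in T(I) : \tau/X_i \in N(I)\ \forall i\}$, confirms the result and shows the saving in oracle queries.

```python
"""Combinatorial recovery of G(I) inside the box B(D) from a canonical-form
oracle (Problem 2) for a monomial ideal: escalier walk (Section 3.1) and
slicing along X_n (Section 3.2).  Added example, not code from the paper;
exponent tuples (a_1, ..., a_n) stand for X_1^a_1 ... X_n^a_n."""
from itertools import product


class MonomialIdealOracle:
    """Stand-in for the black box returning Can(t, I, <) (generators are
    constructed test data).  For a monomial ideal Can(t) = 0 iff t in T(I),
    so only the membership predicate is exposed; every call is counted."""

    def __init__(self, generators):
        self.generators = [tuple(g) for g in generators]
        self.queries = 0

    def in_T(self, t):
        """t in T(I)  <=>  Can(t, I, <) != t  <=>  some generator divides t."""
        self.queries += 1
        return any(all(gi <= ti for gi, ti in zip(g, t)) for g in self.generators)


def escalier_2d(in_T, D):
    """Section 3.1: walk the escalier of T(I) inside B(D) column by column.
    b(a) := min{b <= D : X^a Y^b in T(I)} (D+1 if the column misses T(I)) is
    non-increasing in a, so each column is searched downwards from the
    previous value; a strict drop (or the first hit) is a concave vertex of
    the escalier, i.e. a point of G(I).  At most 2(D+1) oracle calls."""
    gens, prev = [], D + 1
    for a in range(D + 1):
        b = prev
        while b > 0 and in_T((a, b - 1)):
            b -= 1
        if b < prev:                 # X^{a-1}Y^b and X^aY^{b-1} both lie in N(I)
            gens.append((a, b))
        prev = b
    return gens


def minimal_generators(in_T, n, D):
    """G(I) ∩ B(D) for n variables (Section 3.2).  On the hyperplane x_n = j
    the terms s with s*X_n^j in T(I) form a monomial ideal in n-1 variables;
    its minimal generators lifted by X_n^j, kept only when the X_n-predecessor
    lies in N(I), are exactly the elements of G(I) with X_n-exponent j."""
    if n == 1:
        for b in range(D + 1):
            if in_T((b,)):
                return [(b,)]
        return []
    if n == 2:
        return escalier_2d(in_T, D)
    gens = []
    for j in range(D + 1):
        slice_gens = minimal_generators(lambda s, j=j: in_T(s + (j,)), n - 1, D)
        gens.extend(s + (j,) for s in slice_gens
                    if j == 0 or not in_T(s + (j - 1,)))
    return sorted(gens)


def brute_force(in_T, n, D):
    """Reference: G(I) ∩ B(D) = {t in T(I) : every predecessor t/X_i is in
    N(I)}, tested at every point of the box (about (D+1)^n oracle calls)."""
    gens = []
    for t in product(range(D + 1), repeat=n):
        if not in_T(t):
            continue
        preds = [t[:i] + (t[i] - 1,) + t[i + 1:] for i in range(n) if t[i] > 0]
        if not any(in_T(p) for p in preds):
            gens.append(t)
    return gens


def query_count(algorithm, generators, n, D):
    """Oracle calls spent by `algorithm` on the ideal generated by
    `generators` inside B(D), using a fresh oracle."""
    oracle = MonomialIdealOracle(generators)
    algorithm(oracle.in_T, n, D)
    return oracle.queries
```

For Example 6.1 the escalier walk needs 17 queries against 81 for the exhaustive check; for Example 8 the slicing routine returns the four generators found by hand in the text.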

4 A cryptographic application

The survey [7] reports on a class of cryptosystems whose scheme has been independently proposed by B. Barkee et al. [1] and by Fellows-Koblitz [3, 4, 5, 6]. Such schemes are defined on the commutative polynomial ring $\mathcal P = \mathbb F[X_1,\dots,X_n]$ and consist in:

1. writing down an easy-to-produce Gröbner basis $F = \{\gamma_1,\dots,\gamma_s\}$ generating an ideal $I := \mathbb I(F) \subset \mathcal P$, and

2. publishing a set $G := \{g_1,\dots,g_l\} \subset I$ of polynomials in $\mathcal P$ and a set

$$T := \{\tau_1,\dots,\tau_m\} \subset N(I) = \mathcal T\setminus T(I)$$

of normal terms belonging to the Gröbner sous-escalier of $I$;

3. in order to send a message $M := \sum_{i=1}^m c_i\tau_i \in \mathrm{Span}_{\mathbb F}(T)$, Bob (the sender) produces random polynomials $p_j \in \mathcal P$, $1 \le j \le l$, $\deg(p_j) \le B$, and encrypts $M$ as $C := M + \sum_{j=1}^l p_jg_j$;

4. Alice (the receiver), possessing the Gröbner basis of $I$, applies Buchberger's reduction to obtain $\mathrm{Can}(C,I,\prec) = M = \sum_{i=1}^m c_i\tau_i$.

Rai [10] proposed essentially the same system in the setting of the non-commutative polynomial ring $\mathcal P = \mathbb F\langle X_1,\dots,X_n\rangle$: in his example the bilateral ideal $I$ is principal,

$$I := \mathbb I(F) \subset \mathcal P,\qquad F = \{\gamma\},$$

and the published set $G := \{g_1,\dots,g_l\} \subset I$ is defined as $g_i := h_i\gamma l_i$ for random elements $h_i, l_i \in \mathcal P$.

We now describe a Bulygin-like (see [2]) chosen-ciphertext attack on Barkee's cryptosystems under the assumption of knowing

(B.1) the set $G(I) := \{T(\gamma_i) : 1 \le i \le s\}$, and

(B.2) for each $\gamma_i \in F$, a set of pairs $(s_i,t_i)$ of terms such that $s_iwt_i \notin T(I)$ for each $w \in \mathrm{supp}(\gamma_i)$, $w \neq T(\gamma_i)$.

Assuming the cryptanalyst has temporary access to the decryption black box, according to Bulygin's attack he then builds fake ciphertexts

$$C_i' := s_iT(\gamma_i)t_i + \sum_j p_jg_jq_j;$$

the decrypted version of this message being

$$\mathrm{Can}(C_i',I,\prec) = \mathrm{Can}(s_iT(\gamma_i)t_i,I,\prec) = s_i\,\mathrm{Can}(T(\gamma_i),I,\prec)\,t_i,$$

thus the attack allows him to read $\gamma_i = T(\gamma_i) - \mathrm{Can}(T(\gamma_i),I,\prec)$.

Before discussing the relation between Bulygin's assumption (B.1) and our oracle-based algorithm, let us consider the queer assumption (B.2); it is justified by Bulygin as a tool for masking his attacks: "Polynomials $t_i, s_i$ are chosen for masking the 'fake' ciphertext" ([2], p. 2).

Assumption (B.2) is however completely useless: this "masking" can in fact be performed simply by choosing any set of polynomials $l_{it}, r_{it} \in \mathcal P$ satisfying $T(\gamma_i) = \sum_t l_{it}T(\gamma_i)r_{it}$, thus obtaining

$$\mathrm{Can}(T(\gamma_i),I,\prec) = \sum_t \mathrm{Can}(l_{it}T(\gamma_i)r_{it},I,\prec),$$

and we thus succeed in crashing the system via the fake ciphertexts $l_{it}T(\gamma_i)r_{it}$.
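The following Python is an added illustration of the attack just described (it is neither code from the paper nor from [2]) on a toy commutative instance whose every parameter is an assumption of ours: the ring is $\mathbb F_{101}[x,y,z]$ with the lex ordering $z \succ y \succ x$, and Alice's private Gröbner basis is $F = \{y - x^2,\ z - x^3\}$. Its leading terms $y$ and $z$ are coprime, so $F$ is a Gröbner basis and $\mathrm{Can}(f,I,\prec)$ is just the substitution $y \mapsto x^2$, $z \mapsto x^3$; the sous-escalier $N(I)$ consists of the pure powers of $x$. The public $g_j$, the message and the noise polynomials are constructed test data. `recover_basis_element` plays Bulygin's query with $s_i = t_i = 1$, and `recover_basis_element_masked` plays the masking of the paragraph above with $1 = \ell - (\ell - 1)$, so that $\mathrm{Can}(T(\gamma_i)) = \mathrm{Can}(\ell\,T(\gamma_i)) - \mathrm{Can}((\ell-1)\,T(\gamma_i))$ and neither decryption query is a bare element of $G(I)$.

```python
"""Toy Barkee/Fellows-Koblitz instance and the chosen-ciphertext recovery of
the private Groebner basis from the decryption black box (Section 4).
Added example; polynomials of F_P[x, y, z] are dicts {(ex, ey, ez): coeff}."""

P = 101                                   # toy prime field (assumption)
ONE, X, Y, Z = (0, 0, 0), (1, 0, 0), (0, 1, 0), (0, 0, 1)


def term(t):
    return {t: 1}


def padd(f, g, c=1):
    """f + c*g modulo P, dropping zero coefficients."""
    h = dict(f)
    for t, a in g.items():
        h[t] = (h.get(t, 0) + c * a) % P
    return {t: a for t, a in h.items() if a}


def pmul(f, g):
    h = {}
    for s, a in f.items():
        for t, b in g.items():
            u = tuple(i + j for i, j in zip(s, t))
            h[u] = (h.get(u, 0) + a * b) % P
    return {t: a for t, a in h.items() if a}


# Alice's private Groebner basis: gamma_1 = y - x^2, gamma_2 = z - x^3.
GAMMA = [padd(term(Y), term((2, 0, 0)), -1), padd(term(Z), term((3, 0, 0)), -1)]

# Public data: two members of I and the normal terms {1, x, x^2} of N(I).
PUBLIC_G = [padd(pmul(padd(term(X), term(ONE)), GAMMA[0]), GAMMA[1]),  # (x+1)g1 + g2
            pmul(term(Y), GAMMA[1])]                                   # y * g2
NORMAL_TERMS = [ONE, X, (2, 0, 0)]


def decrypt(f):
    """Alice's black box: Can(f, I, <) for lex z > y > x is the substitution
    y -> x^2, z -> x^3, which kills every element of I."""
    h = {}
    for (a, b, c), coef in f.items():
        u = (a + 2 * b + 3 * c, 0, 0)
        h[u] = (h.get(u, 0) + coef) % P
    return {t: a for t, a in h.items() if a}


def encrypt(message, noise):
    """Bob: C = M + sum_j p_j g_j, the random p_j being supplied by the caller."""
    c = dict(message)
    for p, g in zip(noise, PUBLIC_G):
        c = padd(c, pmul(p, g))
    return c


def recover_basis_element(leading_term, noise):
    """Bulygin's query with s_i = t_i = 1: the fake ciphertext
    C' = T(gamma_i) + sum p_j g_j decrypts to Can(T(gamma_i), I, <),
    hence gamma_i = T(gamma_i) - Can(T(gamma_i), I, <)."""
    fake = encrypt(term(leading_term), noise)
    return padd(term(leading_term), decrypt(fake), -1)


def recover_basis_element_masked(leading_term, noise, mask):
    """Same recovery without assumption (B.2): since T(gamma) =
    mask*T(gamma) - (mask-1)*T(gamma) and Can is linear, two decryptions of
    masked fake ciphertexts give Can(T(gamma)) and hence gamma."""
    t = term(leading_term)
    q1 = decrypt(encrypt(pmul(mask, t), noise))
    q2 = decrypt(encrypt(pmul(padd(mask, term(ONE), -1), t), noise))
    return padd(t, padd(q1, q2, -1), -1)
```

With the message $3 + 5x + 7x^2$ and any noise polynomials, `decrypt(encrypt(M, noise))` returns `M`, while two (or four, when masked) queries of the attacker return `GAMMA[0]` and `GAMMA[1]` exactly, which is all Alice ever needed to decrypt.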

As regards assumption (B.1), our investigation on the presented procedures was suggested by the aim of providing a tool to produce the set $G(I)$, and thus showing that assumption (B.1) was unnecessary; however this is not true, except in the commutative case, where we can cryptanalyse a Barkee's scheme via our solution to Problem 2, provided we know a bound for the degrees.

In fact we must stress that our solution of Problem 1 allows us neither to reconstruct the set $G(I)$, thus satisfying the necessary request (B.1) by Bulygin, nor to cryptanalyse a non-commutative Barkee's scheme: all we can do is to produce a subset $H = \{h_1,\dots,h_m\} \subset \Gamma(I)$ of the Gröbner basis $\Gamma(I) = \{\gamma_1,\dots,\gamma_s\}$ (used by Alice, via Buchberger's reduction, in order to read any message $M$ encrypted as $C = M + \sum_{j=1}^l p_jg_jq_j$) sufficient to produce a Gröbner representation

$$g_j = \sum_i c_{ij}\lambda_{ij}h_{\iota_{ij}}\rho_{ij},\qquad T(g_j) = \lambda_{1j}T(h_{\iota_{1j}})\rho_{1j} \succ \lambda_{2j}T(h_{\iota_{2j}})\rho_{2j} \succ \cdots$$

of each public element $g_j \in G$. Is this sufficient to obtain a Gröbner representation of $C - M$? Of course not: in fact, after we distribute the expression $C - M = \sum_{j=1}^l p_jg_jq_j$ we obtain

$$C - M = \sum_{j=1}^l\sum_{\iota} e_{j\iota}\,\pi_{j\iota}\,g_j\,\varrho_{j\iota},\qquad \pi_{j\iota},\varrho_{j\iota} \in \mathcal T,\ e_{j\iota} \in \mathbb F\setminus\{0\};$$

if we substitute each instance of $g_j$ with the Gröbner representation deduced by our algorithm we simply have

$$C - M = \sum_{j=1}^l\sum_{\iota}\sum_i e_{j\iota}c_{ij}\,\pi_{j\iota}\lambda_{ij}\,h_{\iota_{ij}}\,\rho_{ij}\varrho_{j\iota};$$

thus, if we properly re-enumerate the summands, we obtain a representation

$$C - M = \sum_{k=1}^K d_k\lambda_kh_{\iota_k}\rho_k,\qquad \lambda_1T(h_{\iota_1})\rho_1 \succeq \lambda_2T(h_{\iota_2})\rho_2 \succeq \cdots$$

but we cannot rule out equalities; thus we do not obtain

$$T(C - M) = \lambda_1T(h_{\iota_1})\rho_1 \succ \lambda_2T(h_{\iota_2})\rho_2 \succ \cdots$$

and we cannot hope to successfully apply Buchberger reduction.

In fact, we can trivially build a theoretical counterexample by arguing as follows: assume that

$$\Omega := \lambda_1T(h_{\iota_1})\rho_1 = \lambda_2T(h_{\iota_2})\rho_2 \succ \lambda_3T(h_{\iota_3})\rho_3\quad\text{and}\quad d_1\,lc(h_{\iota_1}) + d_2\,lc(h_{\iota_2}) = 0;$$

as a consequence, $l := d_1\lambda_1h_{\iota_1}\rho_1 + d_2\lambda_2h_{\iota_2}\rho_2 \in I$ necessarily satisfies $T(l) \prec \Omega$ and has a Gröbner representation

$$l = \sum_i d_i'\lambda_i'\gamma_{\iota_i'}\rho_i',\qquad T(l) = \lambda_1'T(\gamma_{\iota_1'})\rho_1' \succ \cdots$$

in terms of $\Gamma(I)$ but not necessarily of $H$. Therefore, we cannot discard the possibility that both

$$\lambda_1'T(\gamma_{\iota_1'})\rho_1' = T(l) \succ \lambda_3T(h_{\iota_3})\rho_3\quad\text{and}\quad T(l) \notin \mathbb I(\{T(h) : h \in H\}),$$

so that $\gamma_{\iota_1'} \notin H$. In this unhappy, but realistic, situation we have the representation

$$C - M = \sum_{k=1}^K d_k\lambda_kh_{\iota_k}\rho_k = l + \sum_{k=3}^K d_k\lambda_kh_{\iota_k}\rho_k = \sum_i d_i'\lambda_i'\gamma_{\iota_i'}\rho_i' + \sum_{k=3}^K d_k\lambda_kh_{\iota_k}\rho_k$$

where

$$\lambda_1'T(\gamma_{\iota_1'})\rho_1' \succ \lambda_i'T(\gamma_{\iota_i'})\rho_i'\quad\text{and}\quad \lambda_1'T(\gamma_{\iota_1'})\rho_1' \succ \lambda_3T(h_{\iota_3})\rho_3 \succeq \lambda_kT(h_{\iota_k})\rho_k,\qquad \forall\, i > 1,\ k \ge 3,$$

so that necessarily $T(C - M) = \lambda_1'T(\gamma_{\iota_1'})\rho_1' \notin \mathbb I(\{T(h) : h \in H\})$ and we cannot perform Buchberger reduction.

On the other side, in the commutative case, each potential message $C$ necessarily satisfies

$$\deg(C) \le \Delta := \max\{\deg(\tau_i),\ \deg(g_j) + B : \tau_i \in T,\ g_j \in G\}$$

and thus $D := \Delta$ is a 'reasonable' guess for the degree bound $d(I)$. Of course the degree bound $\Delta$ on the messages does not necessarily satisfy $\Delta \ge d(I)$, so that our solution of Problem 2 would not cryptanalyse Barkee's scheme using $D := \Delta$; however an implementation of Barkee's scheme, in order to be protected against it, must assure $\Delta \ll d(I)$.

While cryptanalysing Barkee's schemes is an irrelevant task, we would like to briefly point to a connected problem, which is equally irrelevant but at least is a combinatorial amusement. The technical tool used by Barkee's scheme in order to write down an easy-to-produce Gröbner basis was later revealed in [5], and simply consists of a combinatorial trick allowing, given any set of terms $T := \{v_1,\dots,v_s\} \subset \mathcal T$, to produce a polynomial set $F := \{\gamma_1,\dots,\gamma_s\}$ satisfying $T(\gamma_i) = v_i$ and giving a Gröbner basis of the ideal it generates.

In principle, a Barkee's scheme could write down a term set $T$ and the related easy-to-produce Gröbner basis $F$, fix a value $D_0 < d(\mathbb I(F))$, extract from $F$ the subset

$$F' := \{\gamma \in F : \deg(\gamma) \le D_0\}$$

with the corresponding term set

$$T' := \{T(\gamma) : \gamma \in F'\} = \{v \in T : \deg(v) \le D_0\} \subset T,$$

and then produce the public set $G$ just using the elements belonging to $F'$, with

$$D_0 < \Delta := \max\{\deg(\tau_i),\ \deg(g_j) + B : \tau_i \in T,\ g_j \in G\} < d(\mathbb I(F)).$$

Recalling that our commutative procedure only deals with terms in the box

$$B(D) := \{X_1^{a_1}\cdots X_n^{a_n} \in \mathcal T : 0 \le a_i \le D,\ \forall\, 1 \le i \le n\},$$

and informally calling $D_0$-badly-connected a set of terms $T$ such that, if we apply our procedure to it with the value $D := D_0 < \max\{\deg(v) : v \in T\}$, we are unable to produce the set $T' = \{v \in T : \deg(v) \le D_0\}$, we remark that if $T$ is $D_0$-badly-connected, then in a Barkee's scheme it would be nearly sufficient to make public a set $G \subset \mathbb I(F')$ in order to dwarf the use of our procedure to cryptanalyse it.

The question, then, becomes the existence of badly-connected sets of terms; we have the strong impression that the answer is negative. Nevertheless, as we said above, we consider it irrelevant to devote time to this task.